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We show that a biased quantum coin flip (QCF) cannot provide the performance of a black-boxed 
biased coin flip, if it satisfies some fidelity conditions. Although such a QCF satisfies the security 
conditions of a biased coin flip, it does not realize the ideal functionality, and therefore, does not 
fulfill the demands for universally composable security. Moreover, through a comparison within a 
small restricted bias range, we show that an arbitrary QCF is distinguishable from a black-boxed 
coin flip unless it is unbiased on both sides of parties against insensitive cheating. We also point out 
the difficulty in developing cheat-sensitive quantum bit commitment in terms of the uncomposability 
of a QCF. 



PACS numbers: 03.67.Dd, 03.67.Mn 



Consider Alice and Bob who have just divorced. They 
agree to flip a coin to decide who gets their car, but they 
live in different cities. How do they flip a coin by tele- 
phone? This is a well-known introduction to a coin flip 
[l|, which is now an important cryptographic primitive 
on a communication network. Another important prim- 
itive is bit commitment (BC). The purpose of BC is to 
realize the scenario in which Alice commits to a bit (b) 
and later she reveals it; this is done such that Bob cannot 
know b until Alice reveals it and she must reveal b as it 
is. A fair coin flip is realized by using secure BC in the 
following way: Alice first commits to b, Bob next sends 
b' to Alice, and she reveals b. Then, b®b' is a fair random 
bit, because Bob cannot know b before choosing b' and 
Alice cannot change b after knowing b' . 

An effort was made to construct unconditionally se- 
cure quantum BC (QBC), but unfortunately it was shown 
that all previously proposed QBC protocols are broken 
by the so called entanglement attack [2]. After contro- 
versial discussions, it was then generally accepted that 
unconditionally secure QBC is impossible [l| • It was also 
proved that a perfectly fair quantum coin flip (QCF) is 
impossible [4|, |5|, |g, [7| . 

Fortunately, quantum mechanics enables biased coin 
flipping @, I, i, G3, G3. In a biased QCF, if both Al- 
ice and Bob are honest, the outcome is either or 1, 
each with probability 1/2. A dishonest party can cheat 
to bias the probability to 1/2 + e, but it is ensured that 
the amount of the bias satisfies |e| < 1/2; so a dishon- 
est party cannot fully control the outcome. Moreover, 
when a dishonest party tries to largely bias the probabil- 
ity, a honest party sometimes obtains the outcome reject, 
which conclusively identifies the presence of cheating. In 
this paper, however, we only consider insensitive cheating 
such that the outcome reject never occurs. Even through 
insensitive cheating, a dishonest party can generally bias 
the probability, whose maximum (or minimum) is called 
the threshold for cheat sensitivity 

On the other hand, let us imagine ideal biased coin 
flipping such that a black-box outputs a common ran- 
dom bit to both parties. A dishonest party can bias the 
probability of the outcome but can do nothing else be- 



cause the party cannot touch the inside of the box at all. 
A biased QCF, at first glance, realizes the black-boxed 
coin flip, because it is ensured by the laws of physics that 
the bias range is limited to |e| < 1/2 against all possible 
operations for cheating. 

In this paper, however, we show that a biased QCF 
generally does not provide the performance of a black- 
boxed biased coin flip, when it is used to resolve a quan- 
tum dilemma. Although such a QCF satisfies the se- 
curity conditions of a biased coin flip, it does not realize 
the ideal functionality. This warns that, if a QCF is com- 
bined with another quantum cryptographic protocol, an 
unexpected security hole will occur. 

Now, let us introduce a quantum dilemma where, in 
some sense, the car in the previous dilemma concerning 
divorce is replaced with a fully quantum object: an en- 
tangled state. Suppose that Alice is required to send half 
of a maximally entangled state to Bob. However, Bob is 
doubtful whether she sends the entangled state honestly. 
On the other hand, dishonest Bob sometimes destroys the 
shared entanglement and Alice worries about this. At a 
later time, Bob wishes to confirm that Alice has honestly 
sent the entangled state, and Alice wishes to confirm that 
the entanglement has been maintained safely. Therefore, 
both wish to get the whole state in her/his hand, be- 
cause the entanglement cannot be evaluated from their 
half of the state (this situation is analogous to quantum 
bit escrow [8[ as we will discuss later). 

Since both wishes cannot be satisfied simultaneously, 
let us introduce a coin flip to resolve this dilemma, and 
thus consider the following protocol: 

Protocol 1 (sharing and maintaining entanglement) 

Stage 1 (sharing): Alice prepares \4>)ab = (1 00) + 
|ll))/\/2 and sends the B qubit to Bob. This maximal 
entanglement is to be shared and maintained. 

Stage 2 (coin flip): Alice and Bob execute a coin flip- 
ping subprotocol. If the output of the subprotocol is 
(1), Alice (Bob) loses the coin flip. 

Stage 3 (verification) : The winner of the coin flip ob- 
tains both A and B qubits and checks whether or not 
the state of the AB qubits is \4>) by a projective mea- 
surement. If the state is not \<j>), the party detects the 
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cheating of the other party with nonzero probability. 

Suppose that Alice is dishonest and sends a partially 
entangled state \$(a)) AB = y/a\00)+y/l-a\ll) (l/2<a< 
1) instead of \<f>) in the stage 1. Let Pd be the probability 
that Bob detects this cheating. The performance of the 
protocol is characterized by the minimal value of Pd for 
a given a. Let us consider the case where a black-boxed 
coin flip is used in the stage 2. The allowable maximal 
(minimal) bias of the probability of the outcome is e max 
(emin) and e m i n < < e max . Exploiting this controllable 
bias range, Alice tries to decrease Pd- However, as proved 
later, the best strategy is to constantly bias the proba- 
bility to l/2+e m i n , and to send the A qubit as it is in the 
stage 3, when she loses the coin flip. Namely, 
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Our concern is whether or not a QCF can provide the 
same performance. To investigate this, let us recall a 
unitary model of a QCF [f| 0] , where all classical com- 
munication is replaced by quantum communication and 
all measurements are postponed until the end of the pro- 
tocol. We can thus assume that Alice or Bob's operation 
in each round is a unitary transformation. Following the 
model in Q, let |V>ini) be an initial state of the proto- 
col. Alice first applies U\ to her own qubits and sends 
some qubits to Bob, and then Bob applies XJi and sends 
some qubits to Alice. They repeat this and the final 
state after all the rounds is IV'fin) = (• • • t^t^^Ol^im)- 
Alice and Bob then measure IV'fin) to obtain the out- 
come. When both are honest, they can obtain or 1 
with probability 1/2, and so |V>fin) is decomposed such 
that IV'fin) = |^o) + l^l) j where \i/j c ) is a part of lead- 
ing to the outcome c, (V'olV'i) — 0, and \\ipc\\ 2 = 1/2. 
Moreover, since both must know the outcome certainty, 
F(Qx,o,Qx,i) = Q, where F(g, a) = {tTy/g 1 / 2 ag 1 / 2 ) 2 is the 
fidelity and gx,c is the normalized reduced state of \ip c ) 
for the party X = A, B @|. 

Let e max be the possible maximal bias for the out- 
come of this QCF, which is achieved if Alice ap- 
plies U[ instead of Ui. The final state is then \tjj' 6n } = 
(• • • U^U 2 U{M ni ) = \%) + where (^1) = and 
||^q|| =l/2+e max . Moreover, g' B c , which is the reduced 
state of IV'c)) must not be conclusively distinguished from 
Qb.c by Bob so that the cheating is insensitive [hence 
supp(g' B c ) C supp(gs jC ) where supp(g) denotes the sup- 
port space of g\. Since Alice must know the outcome 
certainty, F(g' A , g' A 1 ) = 0; otherwise the cheating is sen- 
sitive due to the disagreement of their outcomes. Like- 
wise, let e m i n be the minimal bias that is achieved by 
U". The corresponding final state, the reduced state, 
and so on, are also indicated by the double prime. These 
satisfy the same conditions as in the e max case, except 
|W|| 2 = l/2 + e min . 

Now, let us consider Alice's cheating strategy for the 
protocol 1. In the QCF subprotocol executed in the stage 



2, she applies the controlled unitary transformations 

Ot = |0>(0|A®C^'+|l)(lU®I^ (2) 

to |$(a)) AB®\ipim) ■ The whole state after all the rounds 
of the QCF subprotocol is 



V5|00)ab®(K> + W)) + VT^|11)ab®(|^o) + K)) 
+ v/i|00)AB®K) + VT^ a|ll)AB®K)- (3) 

The first two and the last two terms in Eq. lead to 
the outcomes and 1, respectively. Since Bob's reduced 
state of the system employed for the QCF is ag" B c +(l — 
a)g' B c for the outcome c, and supp(p'g c ), supp(p' B c ) C 
supp(gB. c ), he knows the outcome certainty by a regular 
measurement. Alice's reduced state is a|0)(0|A<£>£?A,c+(l — 
a)|l)(l|A<B>f?A c> an d she can obtain the outcome certainty 
using the projector |0)(0|A®n / c '+|l)(l|A®nj., where U' c 
(II") distinguishes g' A and g' A1 (g A0 and g A1 ). These 
projectors exist because F(g' A0 , g' Al ) = F(g A , g" A 1 ) = 
0. Suppose that the outcome of the QCF is 0; the 
state of the AB qubits will be checked by Bob in the 
stage 3. Before Alice sends the A qubit to Bob, she ap- 
plies |0)(0|a <8> I + |1)(1|a ® V; where V maximizes the 
overlap between |^q) and \tp' ) such that |{^q |V|^q)| 2 = 
WfUofF(Q Bfi ,g Bfi ) M- Through this procedure, 
the whole state becomes \^o} = ^E\00)ab ® l^o) + 
— cl\11)ab (8 V\ipo), and Pd in this strategy is 



P? =tr[|*o)<*o|(/-|^>^|) 



AB 



= |[a(|+emin) + (l-a)(5+e ma x)] 
- [a (1 - a) (| + emin) ( | + e max )F 



1/2 



(4) 



where F = F(g' B , g" B ). Comparing Eqs. ([T]) and (j4]), it 



is found that Pf <Pd° 



if 1 > a > 



4(Vr r F-l) 2 +(r-l) 1 



and 



F > 1/r = (1 + 2e min )/(l + 2e max ). 



(5) 



This result shows that, if a QCF has the property of 
Eq. ([5]), there exists a finite range of a in which P® < 
Pd° x - Therefore, it is concluded that such a QCF cannot 
provide the performance of a black-boxed coin flip. 

The point of the above cheating strategy is that it 
is possible to superpose two biasing operations U[ and 
U" . This enables to correlate the state of the AB qubits 
with the outcome of the QCF such that the state is more 
entangled than |$(<z))ab whenever Alice loses the QCF 
(and thus Pd decreases). For this purpose, Alice utilizes 
the difference of HV'oll an( i IIV'oll (*- e -; difference of e max 
and e m in). However, this procedure has created undesired 
entanglement between the AB qubits and the system em- 
ployed for the QCF, and so Alice needs to disentangle 
them; otherwise the entanglement of the AB qubits will 
be washed out by the undesired entanglement. This is 
done by increasing the overlap between |^>q) and |^>q). 
Note that the disentangling process is incomplete (unless 
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F = 1), and as a result, the state of the AB qubits (the 
reduced state of |W )) is a mixed state. Equation (JSJ) 
agrees with the condition that this mixed state is more 
entangled than |$(a)) in the measure of negativity (l3l |. 

As shown above, a QCF does not provide the per- 
formance of a black-boxed coin flip, if it satisfies Eq. 
([5]). To further investigate this, let us introduce the 
following biasing operation: Suppose that Alice has a 
local ancilla qubit and she prepares the initial state 
IV'ini) ® (Vl-x\0) a + y/x\l) a ) for the QCF, where the 
subscript a denotes the ancilla qubit. Then, if she ap- 
plies Ui = Ui®\0){0\ a + U-' ®|l)(l| a to the initial state 
[do not confuse this with Eq. J2J], the QCF is biased 
by xe m i n . Moreover, when the outcome is 0, Bob's re- 
duced state is qb,o = Qb,q + x(g B0 ~ 6b,o), an d hence 
F{x)=F{qb,o, q b ,q) = 1— 0(x 2 ) [3]. Now, let us imagine 
a special circumstance where Alice's ability is restricted 
such that she can only use Ui for biasing the QCF (the 
point is that she cannot directly employ U"). As a re- 
sult, the bias of the QCF is restricted within [xe min ,0], 
and therefore, it may be natural to compare it with the 
black-boxed coin flip with the same bias range. Then, if 
Alice adopts the cheating strategy like Eq. @ , where Ui 
and Ui are superposed as Oi = |0}(0|A®f^ + |l)(lU®^i 
to decrease Pd, we have Eq. |[5j| in which e max and e m i n 
is replaced by and xe min , respectively; so P® < P^ ox 
if F(x) > l + 2xe m - ln . However, this fidelity condition is 
always satisfied for x — > because F(x) = 1 — 0(x 2 ) as 
mentioned above. The same discussion holds if the bias 
is restricted within [0,xe ma x]- In this way, an arbitrary 
QCF is distinguishable from a black-boxed coin flip (as 

p d < p d° x ) unless the Q CF is unbiased against insensi- 
tive cheating (if we compare them around e = 0). 

To see these results graphically, the following two 
bounds are plotted in Fig. [TJ 



(I) F(e) > 1/(1 + 2e) for e n 



= and e = a;e max >0, 



(II) F(e) > 1 + 2e for e roax = and e=xe min <0. 

If the fidelity F of the QCF, whose bias is forcedly re- 
stricted within (I) [0, e] and (II) [e,0], is located out- 
side the gray region, the QCF is distinguishable from 
the black-boxed coin flip with the same bias range. The 
fidelity for some of the proposed QCF protocols is also 
plotted for a comparison. 

All of the above discussions hold when Bob is dishon- 
est. This is because the protocol 1 is essentially sym- 
metric with respect to parties, if we assume that Bob's 
dishonest action in the stage 1 is to perform the following 
positive operator valued measurement (POVM) of the B 
qubit: 



M 

Mi = vT 



VE\o){o\ + VT=E\i){i\, 
-o|o)<o| + V5|i)<i|, 



(6) 



where MqM$\-M\Mi = 1b- Depending on the outcome of 
the POVM, the post-measured state becomes \$(o))ab 
or |$(1— o))ab, each with probability 1/2. He then tries 
to decrease Pd- For |$(a)), the same cheating strategy as 




FIG. 1: Bound for fidelity (F) as function of bias (e). If a 
QCF is located outside the gray region, it is distinguishable 
from a black-boxed coin flip. The fidelity for the QCF pro- 
tocols proposed in |{J, and [llj is also plotted, where we 
assumed dishonest Bob. Two ends of each line correspond to 
the maximal and minimal bias for each QCF protocol. 



used with dishonest Alice is applicable. This is the case 
for |$(1— a)), if the role of |0)s and \1)b is exchanged in 
the controlled operations of the cheating strategy. Then, 
we have the same bound for F = F(g' A v g" A t ), but e max 
and e m i n must be read as those for the outcome 1 of 
the QCF. This implies that a QCF must be unbiased on 
both Alice and Bob's sides simultaneously, so that it is 
indistinguishable from a black-boxed coin flip. 

So, let us now prove Eq. JTJ. The general action of 
dishonest Alice when deciding on the bias of a black- 
boxed coin flip is described by a POVM {L e } of the A 
qubit (J deL\L t = 1^). The probability of the outcome 
is then biased to ^ + e, and |$(o))ab will be checked by 
Bob with this probability. Before sending the A qubit, 
she can apply a trace-preserving operation regarding e, 
but this is included in L e . Moreover, the singlet fraction 
T(a) = {<t>\a\4>) is bounded as F{o) < [tra + N B (a)]/2, 
where N B {cr) is negativity [l3[ [the subscript denotes the 
partial transposition with respect to the B qubit] . Since 
Nb is an entanglement monotone (l5l | , the average cannot 
be increased by the local operation of the POVM. Hence, 

Pd=£&( X i + e)tr[L e |$( a ))($( a )|Lt(/-|0)<^|)] 
> Kf+ £ min)[l- / deN B {L e \®{a)){${a)\Ll)] 



> i(i + e mi „)[l-V B (|$(a) 



(7) 



and we have Eq. (P), because N B (\$(a))) = 2^0,(1 — a). 

So far, we have focused on the comparison through 
Pd- Now, we concentrate on a case where Pd = 0; the 
probability of detecting cheating is strictly zero, and so 
the state of the AB qubits must be precisely \<f>) when 
it is checked in the stage 3. The performance of the 
protocol 1 is then characterized by the maximal allowed 
value of a for a dishonest party. Suppose again that Alice 
is dishonest. For a black-boxed coin flip, it is found from 
Eq. {T]) that a=h must hold regardless of the bias range; 
so she cannot cheat at all under P^ = 0, as expected. For 
a QCF, however, it is found from Eq. (0| that P® = 
even for a > 1/2 if F — 1 . This occurs for an arbitrary 
pair of biasing operations as far as the pair of operations 
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satisfies F — 1. So, by replacing e max and e m ; n in Eq. 
(fJJ with e' and e", respectively, we have P® = if a = 
l/2+(e'-e")/[2(l+c'V)] and F(g' Bfi , g' Bfi ) = 1. Basically, 
if the QCF has a property of 

e'-e" 

Aa = max — - — > 0, (8) 

e',e",F=l 2(l + e' + e") 

Alice can successfully cheat because a = 1/2 + Aa > 1/2 
while P^ — 0. The maximization in Eq. is taken over 
all the pairs of the two biasing operations (e' and e") 
subject to F(g' B , q" b ) = 1. Such a QCF also cannot 
provide the performance of a black-boxed coin flip, and 
even allows the cheating that is completely prohibited by 
a black-boxed coin flip. Note that the same discussion 
holds again for dishonest Bob [e' and e" are those for the 
outcome 1 and F(g' A 1 , g' A1 ) = V\. 

As a simple example, let us analyze the following pro- 
tocol [l6| (this is not a true QCF because the probability 
of the outcome is not 1/2 even if both are honest, but 
the above cheating strategy is applicable): 

Protocol 2 ( QCF like): Alice prepares \(f))cD and sends 
the D qubit to Bob. He optionally checks \4>)cd (getting 
the C qubit). If he uses the option, this protocol auto- 
matically outputs 1. Otherwise, he measures the D qubit 
in the {|0), |1)} basis, sends the result to Alice, and she 
confirms the validity by measuring the C qubit. This 
protocol then outputs the measurement result. 

In this protocol, it is confirmed that F(g' A x , g' A x ) = 1 
for Bob's two biasing operations of (i) he always uses the 
option (e' = 1 /2), and (ii) he measures the D qubit, and if 
the result is 1, he uses the option (e" = 0). Hence, we have 
Aa> 1/6 and a>2/3 from Eq. ©. On the other hand, 
it can be shown that a < 2/3 for Bob's general action 
[T3|. Therefore, it is found that the cheating strategy 
considered in this paper has optimally maximized a under 
Pd — 0. This is the case for the 3-round protocol in 8| 
(a = cos-|) and for the optimal 3-round protocol in 6j 
(a = 3/4), for which we assumed dishonest Bob. Apart 
from the optimality of the strategy, the QCF protocols 
of [tj [ljl EH also have the property of Aa > 0, at least, 
on either side of parties. 

As mentioned before, the situation considered in this 
paper is analogous to quantum bit escrow [8j (it is in fact 
regarded as its entanglement version). 

Protocol 3 (quantum bit escrow) 

Stage 1 (commitment): To commit to 6 = (1), Alice 
prepares either |0)s or \—)b or each with 

probability 1/2, which is written as \£,bx) where x denotes 
the encoding basis. She then sends the B qubit to Bob. 

Stage 2 (opening): Alice reveals 6. 

Stage 3 (verification) : Either Alice or Bob obtains the 
B qubit and checks whether or not it is \£bx) to detect 



cheating (Alice reveals x if Bob checks the state) . 

This is a weak variant of QBC such that either Alice or 
Bob can detect cheating with nonzero probability. The 
question of whether or not it is possible to use a biased 
QCF for the purpose of deciding which party will check 
the B qubit in the stage 3 was raised in Q. If this is so, 
the resultant protocol is cheat-sensitive QBC (CSQBC) 
[li EBl j which enables both to detect cheating, albeit with 
smaller nonzero probability. 

However, since the resultant CSQBC has the same 
structure as in the protocol 1, it struggles with the dif- 
ference between a QCF and a black-boxed coin flip. For 
example, if Aa > 0, dishonest Bob can steal partial infor- 
mation about b before the opening stage by a POVM like 
in Eq. ([6j) (whose {|0), |1)} basis is re pla ced by an appro- 
priate one to steal the information :.17j)- Alice cannot 
detect his cheating because he can precisely recover \£bx) 
from a state collapsed by the POVM whenever he loses 
the QCF, as he recovers \<j>) from |$(a)) or |$(1 — a)). 
Likewise, if Aa>0, dishonest Alice can chan ge t he prob- 
ability of revealing b = in the opening stage [18f . There- 
fore, a QCF that is combined with bit escrow should not 
satisfy Eq. ([8]) on both sides of parties. Unfortunately, 
this is not the case in the example of CSQBC suggested in 
and even in [16| . We described the cheating method 
for those in [l7|]. Note that, as far as we know, an ex- 
plicit protocol for secure CSQBC has not been found yet 
[IT]], contrary to the widespread belief that CSQBC is 
possible. 

To summarize, we considered the problem of sharing 
and maintaining entanglement between distrustful par- 
ties, and showed that a QCF cannot provide the perfor- 
mance of a black-boxed coin flip, if it satisfies the fidelity 
conditions of Eqs. ([5]) or JS]). Such a QCF obviously 
does not fulfill the conditions for universally composable 
(UC) security [19]; the demands for ensuring the secu- 
rity of a cryptographic primitive regardless of how it is 
used in applications [20j. This result is quite contrast to 
quantum key distribution (QKD), where a QKD protocol 
is automatically UC secure if it satisfies the general se- 
curity conditions (2lj . Moreover, through a comparison 
within a small restricted bias range, we showed that an 
arbitrary QCF is distinguishable from a black-boxed coin 
flip unless it is unbiased on both sides of parties against 
insensitive cheating, i.e., unless it is a cheat-sensitive un- 
biased QCF. Finally, we discussed the relation to CSQBC 
constructed from bit escrow and a QCF, and pointed out 
the difficulty in developing secure CSQBC in terms of 
the uncomposability condition of Eq. ([8]). We wish these 
results could shed some light on the important open prob- 
lem of whether or not quantum mechanics enables cheat- 
sensitive bit commitment and cheat-sensitive unbiased 
coin flipping. 
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